Google Publicize Windows Zero-Day Vulnerability Before Microsoft Could Patch It

Google publicized a zero-day vulnerability in current versions of Windows just days after reporting the problem to Microsoft.

Yes,no fix yet from Microsoft.

This is not the first time Google has disclosed a Windows bug to the public. They did it in January for Windows 8.1. Since Google has a policy of notifying the public of unpatched vulnerabilities in third-party software seven days after reporting them to the company concerned if it sees them being actively exploited.

The zero-day vulnerability in Windows takes the form of a local privilege escalation within the Windows kernel, allowing malicious processes to escape the sandbox which would ordinarily limit the damage they can do.

The vulnerability can be exploited through a browser — though Google claims that Chrome is immune thanks to its use of a tool known as win32k lockdown mitigation — simply by visiting an affected website.

Although Microsoft seemed displeased but was reluctant to issue a statement regarding the zero day bug. “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson later told Venture Beat.

Blog post also notes that Google reported a zero-day flaw (CVE-2016-7855) in Flash Player to Adobe at the same time as it contacted Microsoft. Adobe pushed an emergency patch for its software last Wednesday. Since some sources reported that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated.

So users are advised to update their Flash software now and apply Windows patches as soon as they become available.